Spambots stealing GMail and Hotmail passwords?

Welcome to stwoxy.com ! We are one of the largest electronic distributors and wholesalers in Beijing China. We offer qualified digital products: Motorcycles, TVs, Notebooks, phones, PSP, projectors, GPS, DVD, DV, DC, MP3/4 and so on, which are of world famous brands, such as Sony, IBM, PHILIPS, NOKIA, DELL and so on. All our items are brand new from the manufacturers and they come with 1-3 years’ after service. These days we are expanding our overseas market, and every item is sold in extremely low price. Such chances should never be missed, ladies and gentlemen, do come to stwoxy.com! you will surely have a big surprise! We are looking forward to hearing from you!

It was sent from an HTTP connection into GMail, and was delivered from there
with valid DKIM and DomainKeys signatures and a passing SPF check. In addition,
it was sent to every address in my friend’s address book. In other words, this
was no run-of-the-mill impersonation spam — for this one, the spammer obtained
my friend’s username and password somehow, logged into GMail, scraped the
address book, and then sent the spam through GMail itself, so the provider’s
own authentication vouched for it.
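As an added illustration (example code written for this page, not anything from the original post or from any mail provider), here is a small Python heuristic for the pattern just described: the mail passes SPF and DKIM because it genuinely left the provider’s servers, so those checks cannot distinguish a compromised account from its owner, and what does stand out is a single message fanning out to the account’s whole address book. The address book, the per-account baseline, the thresholds, the `Authentication-Results` line and the sample message are all constructed for the demonstration; the function names are mine.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed address book for the (hypothetical) compromised account.
ADDRESS_BOOK = {
    "alice@example.com", "bob@example.net",
    "carol@example.org", "dave@example.com",
}

# Constructed raw message shaped like the spam quoted in the post. The
# Authentication-Results header follows the usual RFC 5451 layout but is invented.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=victim@gmail.com;
 dkim=pass header.d=gmail.com
From: Victim <victim@gmail.com>
To: alice@example.com, bob@example.net, carol@example.org, dave@example.com
Subject: electronic products at extremely low price
Content-Type: text/plain; charset="utf-8"

Welcome to stwoxy.com ! We are one of the largest electronic distributors ...
"""


def parse_auth_results(value: str) -> dict:
    """Map each method in an Authentication-Results header to its result,
    e.g. 'mx; spf=pass ...; dkim=pass ...' -> {'spf': 'pass', 'dkim': 'pass'}."""
    results = {}
    # The text before the first ';' is the authserv-id; each later clause
    # starts with method=result, followed by optional properties.
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def recipient_addresses(msg) -> set:
    """Lower-cased set of every address in the To: and Cc: fields."""
    fields = [str(v) for k in ("To", "Cc") for v in msg.get_all(k, [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def classify_outbound(raw: str, address_book: set, baseline_recipients: float) -> dict:
    """Classify one outbound message from a webmail account.

    baseline_recipients is the account's usual recipients-per-message
    (assumed to be computed from its sending history elsewhere). Returns the
    evidence plus a verdict: 'unauthenticated' (forged sender, the classic
    impersonation spam), 'takeover' (authentication passes but the message
    blankets the address book), or 'normal'.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    rcpts = recipient_addresses(msg)
    coverage = len(rcpts & address_book) / len(address_book) if address_book else 0.0
    fanout = len(rcpts) / baseline_recipients if baseline_recipients > 0 else float("inf")
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"

    if not authenticated:
        verdict = "unauthenticated"
    elif coverage >= 0.8 and fanout >= 4:   # thresholds are illustrative
        verdict = "takeover"
    else:
        verdict = "normal"
    return {
        "authenticated": authenticated,
        "recipients": len(rcpts),
        "book_coverage": coverage,
        "fanout": fanout,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(classify_outbound(SAMPLE_RAW, ADDRESS_BOOK, baseline_recipients=1.0))
```

The design point is that passing SPF/DKIM is treated as evidence for the takeover verdict rather than against it: a provider can only catch this kind of abuse on the sending side, from behavioural signals such as fan-out against the account’s own history, not from the authentication results that it will happily stamp on its own outbound mail.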

My friend says he didn’t access GMail using a desktop mail client, but did have
his Google password saved in his web browser (a pretty typical configuration).
My theory is that some virus/malware infected his desktop machine, captured
the saved-passwords file from the web browser’s profile, and used that to
log into GMail. Alternatively, it could have been a guessable username and
password picked up by a dictionary attack, I guess…

This is the first case I’ve heard of where spammers are actively stealing
user account authentication tokens, in order to take over the accounts for
spamming. (We’d long predicted it, of course, since it’s a natural response to
“pay for mail” schemes… but since there’s no widely-used pay-for-mail system
available yet, it’s premature!)

If you’re curious, here’s a copy of the spam, delivered to a Yahoo! group; it appears these spammers aren’t too sophisticated in terms of the text they’re sending, since they haven’t morphed that text, HTML, or even the domain in the link yet. It’s just the malware that’s sophisticated, at this stage.

44 Comments

Another guess for where “they” got his credentials: One of the many sites that offers to scan your GMail contacts list and invite your friends. Only a matter of time until phishers start using that anti-pattern.

Various malware strains have been stealing passwords for some time now, some even leaking every POST request to their masters. The bad guys’ problem is that, this being the web, they need somebody to write code to process essentially free-form data for the different web services.

Spam being sent from their hotmail account. They changed their password to one that hotmail says is very strong. Anti-Virus products didn’t find anything but anti-spyware tools found a bunch of stuff. The tools were unable to ‘repair’ 4 of the spyware infestations found (see original comment for list).

None of that helped, because within days (at most) their hotmail spam-sending problem apparently returned.

Bit of a mini-epidemic going on, from the sounds of things! Scary stuff.

If it was only GMail, I’d surmise it might be something to do with the cross-site referrer forgery hole which was actively being exploited to steal accounts recently; but Hotmail and Y! Mail as well makes that unlikely to be it alone.

@Donncha — yes, typically in most cases spamware and malware command+control is smart software being run by not-so-smart people ;) I’d say that’s the case here.

We are a wholesaler which deals with electronic products, such as: Mobile, TV, PC, DV, DC, games, MP3, even motorcycles and musical instruments. Delivering our items by EMS to our customers around the world. The link pointed to the site www dot ems dot com dot cn

I got the Beijing spam today, adorned with an eBay logo, oddly enough.

I think it happened because, for the first time on Sunday, I set Hotmail to open the mailbox automatically. With luck, resetting the password and not setting the account so it asks for my password every time will fix this, unless they have downloaded all my contacts (unlikely, but not impossible). I have had dozens of bouncebacks, so many people’s spamcatchers are efficient and up to date. It’s not as bad as getting physically burgled, but it is annoying nonetheless, and the contacts who received the spam will think I am a bit of a fool, or worse, but hey – nobody died…

My friend just got her hotmail account compromised and all her contacts were sent a spam from her. It was a generic request to visit a European consumer electronics shop. The things that narrow her case down are these: She doesn’t use POP mail at all. She only uses web-based hotmail. She works on only newer Macs. That kind of (but not completely) rules out a virus. Probably not a compromised browser. I’m wondering if a script ran a brute force attack on her password. They would have to know her login/email address from the start though. Judging from her password a brute force would take a few days. That seems like a lot of resources to dedicate to one crack, resulting in only one round of contact spamming.

This has just happened to my Grandma…but on a PowerPC Mac Mini. Is there a way to fix this short of starting a new account?
I really hope so, she’s 80 and easily confused.
She uses Eudora I think, and if Mike’s friend is running an Intel Mac then it probably is web based.

@ice_cold_irony – I think she can keep the existing account. Just change the password to something much harder to guess, and check all the settings (especially mail forwarding, password reminders, etc.) to ensure they’re not leaking info or set up to be a back door in future. I think you’ll have to help her there… ;)

I’ve had the same issue just begin yesterday. All computers have been scanned for viruses/spyware/malware, passwords changed to strong, I deleted my contacts list (and forgot to export it first so it’s all gone now :*( ) But hope that sorts it out.

Only access Gmail through web, running on PCs, not many viruses or malware or spyware found. What I did find was a keylogger on one of my PCs. Hope this problem goes away soon. =/

Since I store passwords for other things (website, other emails, forum accounts, etc) on gmail as well, should I go and change them all? (there are SO many of them)

The same thing just happened to me, emailing all of my work colleagues from my hotmail account. Spam began:

Dear friend:
We are an electronic products wholesaler. Our products are of high quality and low price. If you want to do business, we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.

My hotmail password wasn’t easy and I was not set to login automatically, password still required every time. This is the SECOND time that this has happened… I have essentially just deleted all my Hotmail contacts and I will cease to use hotmail.

I read another theory that somehow they are exploiting inactive eBay accounts , or Facebook accounts.

It seems that it has nothing to do with your email account being compromised, at least in my Grandma’s case. It doesn’t harvest any contact info, it just puts your address as the Return Addy.
For my Gram, a couple of days after I posted this the Returns just dried up. Sputtered off over a few days. A girl I know had the same thing happen to her Hotmail account and again it just seemed to dry up.
So it seems that someone has written a script to harvest email addresses from god knows where, and when a spam filter rejects the message it comes back to you.
How I explained it to my Gram: some weirdo is sending flyers out in the mail, but putting your address as the return; people say “this is junk”, stick it back in the mail, and it goes back to your house.
Not an elegant explanation but it works for non-techies.

The following email was sent to my entire contact list today. A few email addresses I don’t recognize, but maybe I just don’t remember emailing them. All in the “To:” field. Nothing in the sent box.

I don’t click on random links or share my password, or reset anything I didn’t initiate. I just did a spyware scan on my home machine yesterday and I use Ubuntu at work. I did use the import friends from Gmail thing on Facebook a few weeks ago, which requires entering your email and password, and presumably Facebook accessing your address book.

We are an electronic products wholesaler. Our products are of high quality and low price. If you want to do business, we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.

This incident happened on my Hotmail account.
My antivirus discovered a trojan from a specific application (http://www.download.com/3642-20_4-3010990.html?sb=3) that I hadn’t used for days.
Apart from that, I suspect 3rd party tools that we use to access messenger from, like Trillian, Agile Messenger and so on… Any thoughts on that?

My gmail just got hijacked, and I’m actually impressed since I’m very security conscious (always use https, don’t save passwords, use Firefox, etc.) – this is the first time anyone’s been able to hack any of my accounts.

Some lamer just sent this spam to my entire addressbook promoting qqvok.com

We are a wholesale company which can offer you laptops, digital cameras, videos, GPS, cell phone, mp4, game console and many other electron products. We can offer you both highest quality products and best price. Also we could give you favorable discount if you order more. All of our products are brand new and original; if you need any help, please contact us.

Something or someone managed to turn Hotmail’s vacation mode on, sending out SPAM email to all contacts, promoting:

“Heya,how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is http://www.epurchasenet.com .They can offer you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles etc……..Please take some time to have a check ,there must be somethings you ‘d like to purchase .
Their contact email: [email protected]. MSN: [email protected]
Hope you have a good mood in shopping from their company !”

Like other commenters above, I regard myself as quite security conscious. Using Firefox 3 on a brand new Intel iMac. Cannot work out what it could be; Norton Antivirus comes up with negative scans and this Mac is only a week old, not visited any warez websites or downloaded anything dodgy. This seems very strange. Need to find a solution.

I have had my hotmail account hacked today in the same fashion. I can’t believe that I have trawled the internet and NO one can find a straight answer with evidence as to what this is. I have done virus scans with Avast which have found nothing. I have changed my hotmail password but am wondering is this going to happen again?

Alan: It happened to me twice through my hotmail account: once on a PC and once on a Mac. It was embarrassing as it sent the email to my superiors at work, students, etc…

I am not extremely literate, but like you, I could not find a solution on the internet. Talking to the techies at my computer store, the two pieces of advice I got were:
1) Change your hotmail password to something really difficult to hack
OR
2) Delete your hotmail account altogether. I couldn’t really do this entirely as it would have been a logistical nightmare, so instead I opened a more secure Mac email account, and deleted all the contacts from my hotmail after transferring them to the Mac.
No problems since.

For me it is obvious that opening this specific website, or any javascript or banner ad, is the cause of the spam e-mail. But some weeks before, opening opensubitles.org was not a problem. Where is the root cause then?

To you all, avoiding identity and password theft is easy. Complex and different passwords should be used for all accounts. Also we should keep in practice changing our passwords every week or every fortnight. For these use a safe password manager. I use a safe and secure password manager like EXQUIPASS to remember those complex passwords for me. I prefer Exquipass since it is straightforward and secure. Link for this is: http://www.exquisysltd.com/productinfo.php?p=DA01EX
With a tool like Exquipass, you can leave your password file everywhere, nobody will be able to get your passwords even if it is left on your computer. It strongly encrypts all your sensitive data. Carry your password files everywhere you want or leave it anywhere you want, your sensitive credential details will always be safe. Don’t let hackers gain over you!!!

Got the same issue here, on the hotmail account. It is an unguessable generated password. I am pretty security conscious. No idea how it was guessed.

Heya,how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is .They can offer you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles etc……..Please take some time to have a check ,there must be somethings you ‘d like to purchase .

My guess, may be the provider is compromised. Hotmail, google or Yahoo employees/contractors leaked out a lot of accounts. Is that possible?

It happened to me today with Yahoo mail. Hundreds of mails sent with similar message. It took over both vacation message AND the signature page. I did not have vacation turned on. I have an antivirus and spyware running constantly (ZoneAlarm) and it didn’t catch it (although there is a similar email quarantined under phishing, it still let it run; I think this came in this morning).
I changed the password and deleted all the files and it seems to be ok for the rest of the day but I have no confidence in it staying spam free. And I do not like entering my email in this site…


“Dear friend:
how are you doing recently ? I would like to introduce you a very good company which i knew.They can offer you all kinds of electronical products which you need, such as motorcycles, laptops, mobile phones, digial cameras, TV LCD, xbox, ps3, gps, MP3/4, etc. Please take some time to have a look at it,there must be something you’d like to purchase.
the website: shop-2009.com
Their Email: [email protected]
Hope you have a good mood in shopping from their company!”

I’ve just changed my password and deleted almost all of my contacts so that nothing more gets sent to them. Any other or better ideas?